{
	"id": "c2a70b4d-53d1-4340-894d-0406b686510c",
	"created_at": "2026-04-06T00:19:30.511261Z",
	"updated_at": "2026-04-10T03:23:51.423115Z",
	"deleted_at": null,
	"sha1_hash": "791ea1c15552470d2dab98aa720022907dac5fbb",
	"title": "Casper Malware: After Babar and Bunny, Another Espionage Cartoon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 655660,
	"plain_text": "Casper Malware: After Babar and Bunny, Another Espionage Cartoon\r\nBy Joan Calvet\r\nArchived: 2026-04-05 20:47:17 UTC\r\nIn March 2014, French newspaper Le Monde revealed that France is suspected by the Communications Security Establishment Canada (CSEC) of having developed and deployed malicious software for espionage purposes. This story was based on presentation slides leaked by Edward Snowden, which were then published by Germany’s Der Spiegel in January 2015.\r\nAccording to the CSEC presentation, the malicious software in question is called “Babar” by its creators, likely after the famous French cartoon character “Babar The Elephant”. Since then, several malware researchers have begun to work on the enigma that is Babar. Marion Marschalek (Cyphort) struck first, with her report on the “Bunny” malware. Bunny shares some characteristics with the Babar malware described by CSEC. In mid-February, Marion published another report, this time on the actual Babar case, explaining in great detail its spying features. At the same time, Paul Rascagnères (G Data) published a blog post on the similarities between Babar and Bunny, and showed that they were very probably related to the malware described in the CSEC’s slides.\r\nIn this blog post, we lift the veil on another piece of software that we believe to have been created by the same organization that is behind Babar and Bunny. This component is called “Casper” by its authors – presumably named after yet another famous cartoon character.\r\nCasper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time. To attack their targets, Casper’s operators used zero-day exploits in Adobe Flash, and these exploits were – surprisingly – hosted on a Syrian governmental website. Casper is a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. 
Of particular note are the specific strategies adopted against antimalware software.\r\nContext\r\nIn mid-April 2014, Vyacheslav Zakorzhevsky (Kaspersky) observed that the website \"jpic.gov.sy\" was hosting two Flash zero-day exploits, targeting the vulnerability later labeled CVE-2014-0515. This website was set up in 2011 by the Syrian Justice Ministry, apparently to allow Syrian people to ask for reparation for the damage of the civil war. The website is still online and apparently currently clean, although it was defaced in September 2014 by some \"hacktivist\".\r\nAt the time of the events, Zakorzhevsky could not retrieve the payloads distributed by these Flash zero-day exploits. ESET researchers were able to find two of these payloads, thanks to ESET LiveGrid® threat telemetry systems. The URLs of these payloads and the dates when they were seen correspond to Zakorzhevsky’s description.\r\nhttps://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/\r\nPage 1 of 11\n\nIn a joint effort with Marion Marschalek, Paul Rascagnères, and researchers from the Computer Incident Response Center Luxembourg (CIRCL), we were recently able to determine that the payloads distributed were very likely developed by the same actors who developed the Babar and Bunny software.\r\nCasper Binary Analysis\r\nThe two samples we found are the same core program but differently packaged. The first sample is an executable dropping the core program and making it persistent on the machine. The second is a Windows library that deploys the core program directly into memory, also in the form of a library. 
In this latter case, the name of the core program library was left visible by its creators: “Casper_DLL.dll”.\r\nThroughout this blog, we will focus on the first of these two payloads, the second one being similar in terms of behavior.\r\nDropper\r\nThe dropper is named “domcommon.exe” and its compilation date is set to June 18th, 2010. This is very likely a forged date, as we will explain later.\r\nIts execution is based on an XML configuration file decrypted at runtime with the RC4 algorithm and a hardcoded 16-byte key. Before the decryption, the program uses a checksum computation to make sure the memory area containing the decryption key has not been modified. Figure 1 shows the dropper’s decrypted configuration file.\r\nFigure 1 - Casper Dropper Configuration File\r\nCasper Playing Chess against Antivirus\r\nFirstly, the dropper extracts the \u003cSTRATEGY\u003e tag from its configuration file. This tag defines precisely how the malware should behave, depending on which antivirus is present on the machine.\r\nChoosing the appropriate strategy\r\nFirst, the dropper retrieves the name of any antivirus that may be running on the machine by executing the Windows Management Instrumentation (WMI) request “SELECT * FROM AntiVirusProduct” and fetching the “displayName” field from the result. If an \u003cAV\u003e tag exists in the configuration file with a “NAME” attribute matching the name of an installed antivirus product, it will be set as the execution strategy. In this case, four antivirus products have a defined strategy.\r\nIf no strategy is found for the running antivirus, or if no antivirus is protecting the computer, the default strategy described in the \u003cSTRATEGY\u003e tag’s attributes will be applied. 
Alternatively, if a file named \"strategy.xml\" is present in the dropper’s folder, it will override the strategy from the configuration file.\r\nPossible Moves\r\nA strategy is a set of attributes that influences both the dropper and the payload execution. Some of these attributes define how to realize certain actions, whereas the others define whether to perform certain actions. The following array describes the various “moves” offered by these attributes.\r\nAttribute | Attribute Purpose | Possible Value | Value Meaning\r\nRUNKEY | Defines how the dropper will interact with the Windows registry in order to be persistent on the machine | API | Calls to Windows API functions (RegOpenKeyEx, RegQueryValueEx…)\r\nRUNKEY | | BAT | Execution of a batch file containing “reg” commands\r\nRUNKEY | | REG | Execution of “reg” commands in a command prompt process\r\nRUNKEY | | WMI | Calls to methods of the StdRegProv WMI class\r\nAUTODEL | Defines how the dropper will remove itself from the machine after its execution | DEL | Execution of a command line in a command prompt process\r\nAUTODEL | | API | Call to MoveFileEx API function to delete the dropper during the next restart of the system\r\nAUTODEL | | WMI | Execution of a command line in a command prompt process created through the Create method of the Win32_Process WMI class\r\nINJECTION | Defines whether the dropper and the payload will inject their code into a new process, or execute it in the initial process | YES/NO | N/A\r\nSAFENOTIF | Defines whether or not the payload will contact the C\u0026C server | YES/NO | N/A\r\nSERVICE | Likely defines how to interact with Windows services, but the code managing this attribute is missing in these Casper samples | API | N/A\r\nSERVICE | | SC | N/A\r\nESCAPE | Defines whether the dropper will execute normally, or simply exit | YES/NO | N/A\r\nSCHEDULER | Unknown. The code managing this attribute is missing in these Casper samples | CMD | N/A\r\nThe possibilities offered by this \u003cSTRATEGY\u003e tag show that Casper’s authors have acquired an in-depth knowledge of behavioral detections in certain antivirus products.\r\nFor example, process injection will only happen on machines with none of the four defined antiviruses running, since in such a case the “INJECTION” attribute will be set to “NO”. Interestingly, three antiviruses have the “ESCAPE” attribute set to “YES”, which means the dropper will simply uninstall itself in their presence without deploying Casper’s payload.\r\nAs the list of \u003cAV\u003e tags is pretty short, we can speculate that these are the antiviruses Casper’s authors expect to find on their targets. For the record, the “VERSION” attribute present in one \u003cAV\u003e tag is actually never used in the code, but it still indicates the intention to distinguish different versions of the same antivirus product. We very rarely see this level of precision employed in malware in order to bypass antivirus.\r\nTime To Drop The Payload\r\nIn the event that the “ESCAPE” attribute is set to “NO” in the chosen strategy – as is the case with the default strategy – the dropper will then execute the commands provided in the form of XML tags in the configuration file, as shown in Figure 2.\r\nFigure 2 – Casper Dropper’s Commands\r\nUninstalling previous versions\r\nThe first command instructs the dropper to remove other Casper instances that could possibly be running on the system. 
The corresponding \u003cUNINSTALL\u003e tag comes with a “name” attribute, which will be prefixed with the BIOS constructor name retrieved from the Windows registry (Intel, NEC…) before being used as an identifier. This prefixing is likely meant to avoid drawing the user’s attention if he or she happened to notice the identifier.\r\nThe program is uninstalled in two steps, each step addressing different methods of persistence employed by Casper:\r\n- If it exists, the scheduled task whose name matches the identifier is removed from the system\r\n- If it exists, the application registered with the identifier in the Windows registry is removed from the system\r\nPayload installation\r\nThe payload installation is then directed by the \u003cINSTALL\u003e tag, which provides two versions of the payload, one for 32-bit machines (\u003cx86\u003e) and another one for 64-bit machines (\u003cx64\u003e).\r\nThe attributes of the \u003cINSTALL\u003e tag will then be used by one of the two installation methods previously mentioned. If the operating system is Windows 7 or newer, persistence will be set through a scheduled task; otherwise it will be set through the Windows registry key “HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”.\r\nThe \u003cINSTALL\u003e tag provides an argument to give to the payload. The exact value of the argument is critical to the “correct” execution of the payload. The actual verification in the payload is subtle: the argument is used in a custom algorithm to find library functions in memory. Unless the value is correct, the addresses of these library functions will be wrong, resulting in a random-looking crash of the payload.\r\nDropper cleans itself\r\nBefore terminating its execution, the dropper removes itself from the system, using the method defined in the AUTODEL attribute. 
It should be noted that the payload is not launched at this moment: it will be run only at the next startup thanks to the previous persistence method.\r\nPayload\r\nSimilarly to the dropper, Casper payload’s execution is based on an XML configuration file decrypted at run-time, and shown in Figure 3.\r\nFigure 3 - Casper's Payload Configuration File\r\nThis configuration file starts with a timestamp, which corresponds to Monday, the 7th April 2014 at 21:27:05 GMT. Therefore, the compilation timestamps – set to 2010 – have very likely been forged.\r\nA series of \u003cPARAM\u003e tags will then control the payload’s behavior, as described in the following array.\r\nAttribute | Purpose\r\nID | Unknown. It could be used to distinguish operations, as the value is the same in the two payloads hosted on “jpic.gov.sy”.\r\nREGKEY | Path in the Windows registry that will be used as storage area\r\nURL | C\u0026C server’s URL\r\nKEY | Cryptographic key for the communications with the C\u0026C server\r\nDELAYMIN, DELAYMAX, DELAYRETRY | Timers to configure the frequency of the contacts with the C\u0026C server\r\nThe payload then generates a unique identifier for the machine and inserts it at the end of the configuration in a \u003cUID\u003e tag. 
Finally, the configuration is RC4-encrypted and stored in the Windows registry.\r\nThe code handling the configuration shows certain capabilities not exploited in these Casper samples, for example a TIMETOLIVE attribute to plan the termination of Casper after a certain amount of time, or a DELAYED_START attribute to wait before interacting with the system.\r\nFinally, the payload’s configuration contains the exact same \u003cSTRATEGY\u003e as the dropper.\r\nReport to C\u0026C\r\nDuring its first execution, Casper’s payload executes the following XML file:\r\nThe handler of the “SYSINFO” command retrieves information about the system and builds a report containing several sections, as shown in Figure 4.\r\nFigure 4 - SYSINFO Command's Result\r\nThe titles of the report sections are self-explanatory. Interestingly, the version of the malware is clearly mentioned: 4.4.1. This report is then base64-encoded and sent to the C\u0026C server in the body of an HTTP POST request. It will also be written into a temporary file named “perfaudio.dat”.\r\nThe network request will also have a cookie named “PREF” filled with the concatenation of the machine UID, the configuration ID, the version of Casper and the hardcoded character “R”, all base64-encoded.\r\nC\u0026C’s possible answers\r\nDue to the C\u0026C being down at the time of the investigation we can only speculate on the rest of the execution based on Casper’s known capabilities.\r\nAt this point, the binary regularly contacts the C\u0026C server with a cookie similar to the one in the SYSINFO request, but this time with “G” as the hardcoded character instead of “R”. 
Our analysis of the binary reveals that the server can then send back a PNG image – with the correct header and format for a PNG file – from which an XML command file will be decrypted and executed.\r\nIn addition to the “SYSINFO” command, Casper can handle \u003cCOMMAND\u003e tags with the following values:\r\n- “EXEC” to execute a program on the machine from its local path\r\n- “SYSTEM” to execute commands in a Windows command prompt\r\nFinally, Casper can also handle \u003cPLUGIN\u003e tags, whose content is a Windows executable to deploy on the machine.\r\nHow Does Casper Relate to the Other Cartoons?\r\nOur best chance of establishing that the same developers are behind Bunny, Babar and Casper is to identify unusual code or algorithms shared between these various programs. In our comparison we also take into account the so-called “NBOT” malware (also known as the “TFC” malware), whose link with Babar and Bunny was established by Marion Marschalek in her Babar report. Here is a non-exhaustive list of such shared features we observed:\r\n- Casper hides its calls to API functions by using a hash calculated from the functions’ names, rather than the names themselves. The hashing algorithm is a combination of rotate-left (ROL) of 7 bits and exclusive-or (XOR) operations. NBOT uses the exact same algorithm for the same purpose, whereas Babar hides its API calls in a similar manner but with a different algorithm.\r\n- Casper fetches information about the running antivirus in a way similar to Bunny, Babar, and NBOT, namely through the same WMI request. Moreover, all these malware families compute the SHA-256 hash of the first word of the antivirus name, although in Casper it is actually never used.\r\n- Casper generates delimiters for its HTTP requests by filling a specific format string with the results of calls to the GetTickCount API function. The same code is present in some NBOT samples, as shown in the following array.\r\nExtract of Casper’s code\r\nExtract of NBOT’s code\r\n- Casper removes its dropper by executing a Windows command created from the following format string:\r\ncmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST \"%hs\" (DEL \"%hs\" \u0026 SYSTEMINFO) ELSE EXIT\r\nIn some NBOT samples we can find the following similar syntax:\r\ncmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST \"%s\" (DEL \"%s\" \u0026 PING 127.0.0.1 -n 3) ELSE EXIT\r\n- Casper uses an “ID” value set to “13001”, whereas Babar samples contain an ID of “12075-01”. Also, the malware discovered in 2009 by the CSEC possesses an ID of “08184” (slide 8 of the CSEC slides). This similar format, and the increasing value in decimal, could indicate a familial link.\r\nNone of these signs alone is enough to establish a strong link, but all the shared features together make us assess with high confidence that Bunny, Babar, NBOT and Casper were all developed by the same organization.\r\nVictimology\r\nAccording to our telemetry data, all the people targeted during this operation were located in Syria. These targets may have been the visitors of the “jpic.gov.sy” website – Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website.\r\nBut we were actually unable to determine if this were indeed the case. In other words, it is just as likely that the targets have been redirected to the exploits from another location, for example from a hacked legitimate website or from a link in an email. 
What is known for sure is that the exploits, the Casper binaries and the C\u0026C component were all hosted on this website’s server.\r\nThis leads us to a second hypothesis: the “jpic.gov.sy” website could have been hacked to serve as a storage area. This would have at least two advantages for the attackers: firstly, hosting the files on a Syrian server can make them more easily accessible from Syria, a country whose Internet connection to the outside world has been unstable since the beginning of the civil war, as shown in the Google Transparency Report. Secondly, it would mislead attribution efforts by raising suspicion against the Syrian government.\r\nConclusion\r\nAs previously explained, we are confident that the same group developed Bunny, Babar and Casper. The detailed analysis of Babar in the CSEC slides from 2009 indicates this group is not a newcomer to the espionage business. The use of zero-day exploits is another indication that Casper’s operators belong to a powerful organization. Finally, the narrow targeting of people in Syria shows a likely interest in geopolitics.\r\nNevertheless, we did not find any evidence in Casper itself to point a finger at a specific country. 
In particular, no signs of French origin, as suggested by CSEC for Babar, were found in the binaries.\r\nHashes\r\nSHA1 | Note | ESET Detection Name\r\n75BF51709B913FDB4086DF78D84C099418F0F449 | DLL Dropper | Win32/ProxyBot.B\r\n7F266A5E959BEF9798A08E791E22DF4E1DEA9ED5 | DLL Dropper | Win32/ProxyBot.B\r\nE4CC35792A48123E71A2C7B6AA904006343A157A | Executable Dropper | Win32/ProxyBot.B\r\nF4C39EDDEF1C7D99283C7303C1835E99D8E498B0 | X86 Executable Payload | Win32/ProxyBot.B\r\nC2CE95256206E0EBC98E237FB73B68AC69843DD5 | X64 Executable Payload | Win32/ProxyBot.A\r\nIndicators of Compromise\r\nIndicator | Value\r\nDropper’s file name | domcommon.exe\r\nPayload’s file name | aiomgr.exe\r\nC\u0026C URLs | hXXp://jpic.gov.sy/css/images/_cgi/index.php\r\nMutex name | {4216567A-4512-9825-7745F856}\r\nKey for configuration decryption | 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40\r\nTemporary file name | perfaudio.dat\r\nImage: PAISAN HOMHUAN / Shutterstock.com\r\nSource: https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/"
	],
	"report_names": [
		"casper-malware-babar-bunny-another-espionage-cartoon"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434770,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/791ea1c15552470d2dab98aa720022907dac5fbb.pdf",
		"text": "https://archive.orkl.eu/791ea1c15552470d2dab98aa720022907dac5fbb.txt",
		"img": "https://archive.orkl.eu/791ea1c15552470d2dab98aa720022907dac5fbb.jpg"
	}
}